---
id: users
title: User management - Temporal Cloud feature guide
sidebar_label: Users
description: Learn how to manage user invitations, account-level roles, and Namespace-level permissions in Temporal Cloud. Invite users, update roles, and delete users seamlessly using the Temporal Web UI, tcld, or the Cloud Ops API.
slug: /cloud/users
toc_max_heading_level: 4
keywords:
  - explanation
  - how-to
  - introduction
  - namespace
  - namespaces
  - temporal cloud
  - temporal cloud account
  - users
tags:
  - Temporal Cloud
  - Namespaces
  - Users
---

- [How to invite users to your Temporal Cloud account](#invite-users)
- [What are the account-level roles?](#account-level-roles)
- [What are the Namespace-level permissions?](#namespace-level-permissions)
- [How to update an account-level Role in Temporal Cloud](#update-roles)
- [How to update Namespace-level permissions in Temporal Cloud](#update-permissions)
- [How to delete a user from your Temporal Cloud account](#delete-users)

## How to invite users to your Temporal Cloud account {#invite-users}

:::caution
Access to Temporal Cloud can be authorized via Google OAuth single sign-on, Microsoft single sign-on, or SAML, depending on your setup.

If you are using Google OAuth for single sign-on and an email address is not associated with a Google Account, the user must follow the instructions in the [Use an existing email address](https://support.google.com/accounts/answer/27441?hl=en#existingemail) section of [Create a Google Account](https://support.google.com/accounts/answer/27441).

**Important:** Do _not_ create a Gmail account when creating a Google Account.

If your organization uses Google Workspace or Microsoft Azure AD, and your IT administrator has enabled controls over single sign-on permissions, then you will need to work with your IT administrator to allow logins to Temporal Cloud.

:::

When a user is created in Temporal Cloud, they receive an email invitation containing a link.
They must use this link to finalize their setup and access Temporal Cloud.
Accounts with SAML configurations can ignore this email.
However, those using Google or Microsoft for SSO authentication need to follow the email link for their initial login to Temporal Cloud.

:::info

To invite users, a user must have the Global Admin or Account Owner account-level [role](#account-level-roles).

:::

### Roles and permissions

Each user in Temporal Cloud is assigned a role.
Each user can be assigned permissions for individual Namespaces.

- [Account-level roles](#account-level-roles)
- [Namespace-level permissions](#namespace-level-permissions)

{/* How to invite users to your Temporal Cloud account using Web UI */}

### How to invite users using Web UI

1. In Temporal Web UI, select **Settings** in the left portion of the window.
1. On the **Settings** page, select **Create Users** in the upper-right portion of the window.
1. On the **Create Users** page in the **Email Addresses** box, type or paste one or more email addresses.
1. In **Account-Level Role**, select a [Role](#account-level-roles).
   The Role applies to all users whose email addresses appear in **Email Addresses**.
1. If the account has any Namespaces, they are listed under **Grant access to Namespaces**.
   To add a permission, select the checkbox next to a Namespace, and then select a [permission](#namespace-level-permissions).
   Repeat as needed.
1. When all permissions are assigned, select **Send Invite**.

Temporal sends an email message to each user.
To join Temporal Cloud, a user must select **Accept Invite** in the message.

{/* How to invite a user to your Temporal Cloud account using tcld */}

### How to invite a user using tcld

For details, see the [tcld user invite](/cloud/tcld/user/#invite) command.

Temporal sends an email message to the specified user.
To join Temporal Cloud, the user must select **Accept Invite** in the message.

### How to invite a user using the Cloud Ops API

You can invite users programmatically using the Cloud Ops API.

1. Create a connection to your Temporal Service using the Cloud Operations API.
2. Use the [CreateUser service](https://github.com/temporalio/api-cloud/blob/main/temporal/api/cloud/cloudservice/v1/service.proto) to create a user.

## What are the account-level roles for users in Temporal Cloud? {#account-level-roles}

When an Account Owner or Global Admin invites a user to join an account, they select one of the following roles for that user:

- **Global Admin**
  - Has full administrative permissions across the account, including users and usage
  - Has Namespace Admin [permissions](#namespace-level-permissions) on all [Namespaces](/namespaces) in the account
- **Developer**
  - Can create and update Namespaces; has full control over [Workflows](/workflows)
  - Has Namespace Admin permissions for each Namespace created by that user
- **Read-Only:** Can only read information

In addition, there are two roles that the Global Admin cannot assign:

- **Account Owner**
  - Has full administrative permissions across the account, including users, usage and [billing](/cloud/billing-and-cost)
  - Has Namespace Admin [permissions](#namespace-level-permissions) on all [Namespaces](/namespaces) in the account
- **Finance Admin**
  - Has permissions to view [billing](/cloud/billing-and-cost) information and update payment information
  - Otherwise, has the same permissions as Account Read-only users
  - Can only be assigned by an Account Owner

:::note Default Role

When the account is created, the initial user who logs in is automatically assigned the Account Owner role.
If your account does not have an Account Owner, please reach out to [Support](https://temporalsupport.zendesk.com/) to assign the appropriate individual to this role.

:::

## Using the Account Owner role

The Account Owner role (i.e., users with the Account Owner system role) holds the highest level of access in the system.
This role configures account-level parameters and manages Temporal billing and payment information.
It allows users to perform all actions within the Temporal Cloud account.

:::tip Best Practices

Temporal strongly recommends the following precautions when assigning the Account Owner role to users:

- Assign the role to at least two users in your organization.
  Beyond that, limit the number of users with this role.
- Associate a person's direct email address with the Account Owner role, rather than a shared or generic address, so Temporal Support can contact the right person in urgent situations.

This latter rule is useful for anyone on your team who may need to be contacted urgently, regardless of their Account role.

:::

## What are the Namespace-level permissions for users in Temporal Cloud? {#namespace-level-permissions}

An Account Owner or Global Admin can assign permissions for any [Namespace](/namespaces) in an account.
A Developer can assign permissions for a Namespace they create.

For a Namespace, a user can have one of the following permissions:

- **Namespace Admin:** Can [create](/cloud/namespaces#create-a-namespace) and [edit Namespaces](/cloud/namespaces#manage-namespaces); can create, rename, update, and delete [Workflows](/workflows)
- **Write:** Can create, rename, update, and delete Workflows within the Namespace
- **Read-Only:** Can only read information from the Namespace

## How to update an account-level role in Temporal Cloud {#update-roles}

With Global Admin or Account Owner privileges, you can update any user's account-level [role](#account-level-roles) using either the Web UI or `tcld`.
This does not apply to the Account Owner role.
For security purposes, Account Owners can only be changed through Temporal Support.
To create, update, or delete an Account Owner, you must submit a [support ticket](https://temporalsupport.zendesk.com/).

{/* How to update an account-level role in Temporal Cloud using Web UI */}

### How to update an account-level role using Web UI

1. In Temporal Web UI, select **Settings** in the left portion of the window.
1. On the **Settings** page, select the user.
1. On the user profile page, select **Edit User**.
1. On the **Edit User** page in **Account Level Role**, select the role.
1. Select **Save**.

{/* How to update an account-level role in Temporal Cloud using tcld */}

### How to update an account-level role using tcld

For details, see the [tcld user set-account-role](/cloud/tcld/user/#set-account-role) command.

## How to update Namespace-level permissions in Temporal Cloud {#update-permissions}

You can update Namespace-level [permissions](#namespace-level-permissions) by using either Web UI or tcld.

{/* How to update Namespace-level permissions for a Namespace in Temporal Cloud using Web UI */}

### How to use the Web UI to update permissions for multiple users within a single Namespace

1. In Temporal Web UI, select **Namespaces** in the left portion of the window.
1. On the **Namespaces** page, select the Namespace.
1. If necessary, scroll down to the list of permissions.
1. On the user profile page in **Namespace permissions**, select the Namespace.
1. On the Namespace page in **Account Level Role**, select the role.
1. Select **Save**.

{/* How to update Namespace-level permissions for a user in Temporal Cloud using Web UI */}

### How to use the Web UI to update a user's permissions across multiple Namespaces

:::note

A user with the Account Owner or Global Admin account-level [role](#account-level-roles) has Namespace Admin permissions for all Namespaces.

:::

1. In Temporal Web UI, select **Settings** in the left portion of the window.
1. On the **Settings** page in the **Users** tab, select the user.
1. On the user profile page, select **Edit User**.
1. On the **Edit User** page in **Namespace permissions**, change the permissions for one or more Namespaces.
1. Select **Save**.

{/* How to update Namespace-level permissions in Temporal Cloud using tcld */}

### How to use tcld to update Namespace-level permissions

For details, see the [tcld user set-namespace-permissions](/cloud/tcld/user/#set-namespace-permissions) command.

## How to delete a user from your Temporal Cloud account {#delete-users}

You can delete a user from your Temporal Cloud Account by using either Web UI or tcld.

:::info

To delete a user, a user must have the Account Owner or Global Admin account-level [role](#account-level-roles).

:::

{/* How to delete a user from your Temporal Cloud account using Web UI */}

### How to delete a user using Web UI

1. In Temporal Web UI, select **Settings** in the left portion of the window.
1. On the **Settings** page, find the user and, on the right end of the row, select **Delete**.
1. In the **Delete User** dialog, select **Delete**.

You can delete a user in two other ways in Web UI:

- User profile page: Select the down arrow next to **Edit User** and then select **Delete**.
- **Edit User** page: Select **Delete User**.

{/* How to delete a user from your Temporal Cloud account using tcld */}

### How to delete a user using tcld

For details, see the [tcld user delete](/cloud/tcld/user/#delete) command.

## Account-level roles and Namespace-level permissions {#account-level-roles-and-namespace-level-permissions}

Temporal account-level roles and Namespace-level permissions provide access to specific Temporal Workflow and Temporal Cloud operational APIs.
The following tables provide the API details associated with each account-level role and Namespace-level permission.

:::note

Account Owners and Global Admins have Namespace Admin permissions on all Namespaces.

:::

#### Account-level role details

This table provides API-level details for the permissions granted to a user through account-level roles. These permissions are configured per user.

| Permission                        | Read-only | Developer | Finance Admin | Global Admin | Account Owner |
| --------------------------------- | --------- | --------- | ------------- | ------------ | ------------- |
| CountIdentities                   | ✔         | ✔         | ✔             | ✔            | ✔             |
| CreateAPIKey                      | ✔         | ✔         | ✔             | ✔            | ✔             |
| CreateNamespace                   |           | ✔         |               | ✔            | ✔             |
| CreateServiceAccount              |           |           |               | ✔            | ✔             |
| CreateServiceAccountAPIKey        |           |           |               | ✔            | ✔             |
| CreateStripeCustomerPortalSession |           |           | ✔             |              | ✔             |
| CreateUser                        |           |           |               | ✔            | ✔             |
| DeleteAPIKey                      | ✔         | ✔         | ✔             | ✔            | ✔             |
| DeleteServiceAccount              |           |           |               | ✔            | ✔             |
| DeleteUser                        |           |           |               | ✔            | ✔             |
| GetAccount                        | ✔         | ✔         | ✔             | ✔            | ✔             |
| GetAccountFeatureFlags            | ✔         | ✔         | ✔             | ✔            | ✔             |
| GetAccountLimits                  | ✔         | ✔         | ✔             | ✔            | ✔             |
| GetAccountSettings                | ✔         | ✔         | ✔             | ✔            | ✔             |
| GetAccountUsage                   |           |           |               | ✔            | ✔             |
| GetAPIKey                         | ✔         | ✔         | ✔             | ✔            | ✔             |
| GetAPIKeys                        | ✔         | ✔         | ✔             | ✔            | ✔             |
| GetAsyncOperation                 | ✔         | ✔         | ✔             | ✔            | ✔             |
| GetDecodedCertificate             | ✔         | ✔         | ✔             | ✔            | ✔             |
| GetIdentities                     | ✔         | ✔         | ✔             | ✔            | ✔             |
| GetIdentity                       | ✔         | ✔         | ✔             | ✔            | ✔             |
| GetNamespaces                     | ✔         | ✔         | ✔             | ✔            | ✔             |
| GetNamespacesUsage                |           |           |               | ✔            | ✔             |
| GetRegion                         | ✔         | ✔         | ✔             | ✔            | ✔             |
| GetRegions                        | ✔         | ✔         | ✔             | ✔            | ✔             |
| GetRequestStatus                  | ✔         | ✔         | ✔             | ✔            | ✔             |
| GetRequestStatuses                |           |           |               | ✔            | ✔             |
| GetRequestStatusesForNamespace    | ✔         | ✔         | ✔             | ✔            | ✔             |
| GetRequestStatusesForUser         | ✔         | ✔         | ✔             | ✔            | ✔             |
| GetRoles                          | ✔         | ✔         | ✔             | ✔            | ✔             |
| GetRolesByPermissions             | ✔         | ✔         | ✔             | ✔            | ✔             |
| GetServiceAccount                 | ✔         | ✔         | ✔             | ✔            | ✔             |
| GetServiceAccounts                | ✔         | ✔         | ✔             | ✔            | ✔             |
| GetStripeInvoice                  |           |           | ✔             |              | ✔             |
| GetUser                           | ✔         | ✔         | ✔             | ✔            | ✔             |
| GetUsers                          | ✔         | ✔         | ✔             | ✔            | ✔             |
| GetUsersWithAccountRoles          | ✔         | ✔         | ✔             | ✔            | ✔             |
| InviteUsers                       |           |           |               | ✔            | ✔             |
| ListCreditLedgerEntries           |           |           | ✔             |              | ✔             |
| ListGrants                        |           |           | ✔             |              | ✔             |
| ListMetronomeInvoices             |           |           | ✔             |              | ✔             |
| ListMetronomeInvoicesForNamespace |           |           | ✔             |              | ✔             |
| ListNamespaces                    | ✔         | ✔         | ✔             | ✔            | ✔             |
| ListPromotionGrantBalances        |           |           | ✔             |              | ✔             |
| ResendUserInvite                  |           |           |               | ✔            | ✔             |
| SetAccountSettings                |           |           |               | ✔            | ✔             |
| SyncCurrentUserInvite             | ✔         | ✔         | ✔             | ✔            | ✔             |
| UpdateAccount                     |           |           |               | ✔            | ✔             |
| UpdateAPIKey                      | ✔         | ✔         | ✔             | ✔            | ✔             |
| UpdateServiceAccount              |           |           |               | ✔            | ✔             |
| UpdateUser                        |           |           |               | ✔            | ✔             |

#### Namespace-level permissions details

This table provides API-level details for the permissions granted to a user through Namespace-level permissions.
These permissions are configured per Namespace per user.

| Permission                         | Read | Write | Namespace Admin |
| ---------------------------------- | ---- | ----- | --------------- |
| CountWorkflowExecutions            | ✔    | ✔     | ✔               |
| CreateExportSink                   |      | ✔     | ✔               |
| CreateSchedule                     |      | ✔     | ✔               |
| DeleteExportSink                   |      | ✔     | ✔               |
| DeleteNamespace                    |      | ✔     | ✔               |
| DeleteSchedule                     |      | ✔     | ✔               |
| DescribeBatchOperation             | ✔    | ✔     | ✔               |
| DescribeNamespace                  | ✔    | ✔     | ✔               |
| DescribeSchedule                   | ✔    | ✔     | ✔               |
| DescribeTaskQueue                  | ✔    | ✔     | ✔               |
| DescribeWorkflowExecution          | ✔    | ✔     | ✔               |
| FailoverNamespace                  |      |       | ✔               |
| GetExportSink                      | ✔    | ✔     | ✔               |
| GetExportSinks                     | ✔    | ✔     | ✔               |
| GetNamespace                       | ✔    | ✔     | ✔               |
| GetNamespaceUsage                  | ✔    | ✔     | ✔               |
| GetReplicationStatus               | ✔    | ✔     | ✔               |
| GetSearchAttributes                | ✔    | ✔     | ✔               |
| GetUsersForNamespace               | ✔    | ✔     | ✔               |
| GetWorkerBuildIdCompatibility      | ✔    | ✔     | ✔               |
| GetWorkerTaskReachability          | ✔    | ✔     | ✔               |
| GetWorkflowExecutionHistory        | ✔    | ✔     | ✔               |
| GetWorkflowExecutionHistoryReverse | ✔    | ✔     | ✔               |
| GlobalizeNamespace                 |      |       | ✔               |
| ListBatchOperations                | ✔    | ✔     | ✔               |
| ListClosedWorkflowExecutions       | ✔    | ✔     | ✔               |
| ListExportSinks                    | ✔    | ✔     | ✔               |
| ListFailoverHistoryByNamespace     | ✔    | ✔     | ✔               |
| ListOpenWorkflowExecutions         | ✔    | ✔     | ✔               |
| ListReplicaStatus                  | ✔    | ✔     | ✔               |
| ListScheduleMatchingTimes          | ✔    | ✔     | ✔               |
| ListSchedules                      | ✔    | ✔     | ✔               |
| ListTaskQueuePartitions            | ✔    | ✔     | ✔               |
| ListWorkflowExecutions             | ✔    | ✔     | ✔               |
| PatchSchedule                      |      | ✔     | ✔               |
| PollActivityTaskQueue              |      | ✔     | ✔               |
| PollWorkflowTaskQueue              |      | ✔     | ✔               |
| QueryWorkflow                      | ✔    | ✔     | ✔               |
| RecordActivityTaskHeartbeat        |      | ✔     | ✔               |
| RecordActivityTaskHeartbeatById    |      | ✔     | ✔               |
| RenameCustomSearchAttribute        |      | ✔     | ✔               |
| RequestCancelWorkflowExecution     |      | ✔     | ✔               |
| ResetStickyTaskQueue               |      | ✔     | ✔               |
| ResetWorkflowExecution             |      | ✔     | ✔               |
| RespondActivityTaskCanceled        |      | ✔     | ✔               |
| RespondActivityTaskCanceledById    |      | ✔     | ✔               |
| RespondActivityTaskCompleted       |      | ✔     | ✔               |
| RespondActivityTaskCompletedById   |      | ✔     | ✔               |
| RespondActivityTaskFailed          |      | ✔     | ✔               |
| RespondActivityTaskFailedById      |      | ✔     | ✔               |
| RespondQueryTaskCompleted          |      | ✔     | ✔               |
| RespondWorkflowTaskCompleted       |      | ✔     | ✔               |
| RespondWorkflowTaskFailed          |      | ✔     | ✔               |
| SetUserNamespaceAccess             |      |       | ✔               |
| SignalWithStartWorkflowExecution   |      | ✔     | ✔               |
| SignalWorkflowExecution            |      | ✔     | ✔               |
| StartBatchOperation                |      | ✔     | ✔               |
| StartWorkflowExecution             |      | ✔     | ✔               |
| StopBatchOperation                 |      | ✔     | ✔               |
| TerminateWorkflowExecution         |      | ✔     | ✔               |
| UpdateExportSink                   |      | ✔     | ✔               |
| UpdateNamespace                    |      | ✔     | ✔               |
| UpdateSchedule                     |      | ✔     | ✔               |
| UpdateUserNamespacePermissions     |      |       | ✔               |
| ValidateExportSink                 |      | ✔     | ✔               |
| ValidateGlobalizeNamespace         |      |       | ✔               |

Account Owners and Global Admins will have Namespace Admin permissions on Namespaces.
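
For an access review, the rules on this page can be applied to a user list to resolve each user's effective Namespace permission and to check the Account Owner best practices. The following Python is an added example, not Temporal's code; the record layout, the sample users, and the generic-mailbox heuristic are assumptions made for illustration and are not the output format of `tcld` or the Cloud Ops API.

```python
# Added example: audit a user list against the role model described on this page.
# Record layout (email / role / namespaces / created) is hypothetical.

RANK = {"Read-Only": 1, "Write": 2, "Namespace Admin": 3}
# Roles the page says hold Namespace Admin permissions on all Namespaces.
ALL_NAMESPACE_ADMIN = {"Account Owner", "Global Admin"}
# Hypothetical heuristic for "shared or generic" mailboxes.
GENERIC_LOCAL_PARTS = {"admin", "ops", "team", "info", "billing", "devops", "it"}

# Constructed sample data.
USERS = [
    {"email": "ops@example.com", "role": "Account Owner"},
    {"email": "dana@example.com", "role": "Global Admin"},
    {"email": "lee@example.com", "role": "Developer", "created": ["payments"],
     "namespaces": {"orders": "Read-Only"}},
    {"email": "sam@example.com", "role": "Read-Only",
     "namespaces": {"orders": "Write"}},
    {"email": "fin@example.com", "role": "Finance Admin"},
]


def effective_permission(user, namespace):
    """Return the strongest Namespace-level permission the user holds, or None."""
    if user["role"] in ALL_NAMESPACE_ADMIN:
        return "Namespace Admin"
    candidates = []
    # A Developer has Namespace Admin on each Namespace they created.
    if user["role"] == "Developer" and namespace in user.get("created", ()):
        candidates.append("Namespace Admin")
    explicit = user.get("namespaces", {}).get(namespace)
    if explicit:
        candidates.append(explicit)
    return max(candidates, key=RANK.get, default=None)


def namespace_deleters(users, namespace):
    """DeleteNamespace is ticked for Write and Namespace Admin in the table."""
    result = []
    for user in users:
        perm = effective_permission(user, namespace)
        if perm is not None and RANK[perm] >= RANK["Write"]:
            result.append(user["email"])
    return result


def audit(users):
    """Check the Account Owner best practices listed on this page."""
    findings = []
    owners = [u for u in users if u["role"] == "Account Owner"]
    if len(owners) < 2:
        findings.append(
            f"{len(owners)} Account Owner(s) found; at least two are recommended")
    for owner in owners:
        local_part = owner["email"].split("@")[0].lower()
        if local_part in GENERIC_LOCAL_PARTS:
            findings.append(
                f"Account Owner {owner['email']} looks like a shared or generic address")
    return findings


if __name__ == "__main__":
    for finding in audit(USERS):
        print("FINDING:", finding)
    print("Can delete 'orders':", namespace_deleters(USERS, "orders"))
```

The `namespace_deleters` result is worth reviewing for each production Namespace, because the table above grants DeleteNamespace to Write as well as Namespace Admin.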
